2 Answers

There is no need to mention the Source element if you are passing the token in request.header.authorization.

By default, the JWT is retrieved from the variable request.header.authorization. In this case, Edge looks for the JWT in the request Authorization header. If you pass the JWT in the Authorization header, you do not need to include the Source element in the policy; however, you must include Bearer in the auth header.

Can you show me the format of the "hard coded key" that you include in the configuration like this:

<PublicKey> <JWKS> { "keys": [ { --my key goes here-- }] }

Instead of showing me that half config with "my key goes here", show the actual config, from the open PublicKey element to the closing PublicKey element, including the serialized form of the public key.

The key that you provide in "my key goes here" - what does it look like? In what form is it encoded?

Typically the public key is PEM-encoded, but in some cases it uses the JWKS format. For the latter, your configuration should look something like this:
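Added example, not part of the answer above and not Apigee's own code: a Python check that tells which of the two encodings a hard-coded key is in, and rejects private key material or a placeholder before it is pasted into a PublicKey element. The function names and the sample key are constructed for illustration, and only RSA keys are handled.

```python
import base64
import json

# Private RSA JWK members (RFC 7518 section 6.3.2); none belong in a public key.
PRIVATE_RSA_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}
PUBLIC_PEM_LABELS = {"BEGIN PUBLIC KEY", "BEGIN RSA PUBLIC KEY", "BEGIN CERTIFICATE"}


def b64url_to_int(value):
    """Decode an unpadded base64url string into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def describe_public_key(text):
    """Return ("pem", []) or ("jwks", [(kid, modulus_bits), ...]).

    Raises ValueError for private key material or an unrecognised format.
    """
    text = text.strip()
    if text.startswith("-----BEGIN "):
        label = text.split("-----")[1]  # e.g. "BEGIN PUBLIC KEY"
        if label not in PUBLIC_PEM_LABELS:
            raise ValueError(f"not a public PEM block: {label!r}")
        return "pem", []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("neither PEM nor JSON") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError('JWKS needs a non-empty "keys" array')
    summary = []
    for jwk in keys:
        if not isinstance(jwk, dict) or jwk.get("kty") != "RSA":
            raise ValueError("this example handles RSA JWKs only")
        leaked = PRIVATE_RSA_MEMBERS & jwk.keys()
        if leaked:
            raise ValueError(f"private members present: {sorted(leaked)}")
        if "n" not in jwk or "e" not in jwk:
            raise ValueError("RSA JWK needs n and e")
        summary.append((jwk.get("kid"), b64url_to_int(jwk["n"]).bit_length()))
    return "jwks", summary


# Constructed sample: the modulus is filler bytes, not a usable key.
SAMPLE_N = base64.urlsafe_b64encode(b"\xc3" + bytes(255)).rstrip(b"=").decode()
SAMPLE_JWKS = json.dumps(
    {"keys": [{"kty": "RSA", "kid": "constructed-1", "e": "AQAB", "n": SAMPLE_N}]}
)
```

Calling describe_public_key on the text between the JWKS tags shows quickly whether it is real key material, a placeholder, or a private key pasted by mistake.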